Cloud organization users
Elastic Cloud Hosted Serverless
When you sign up to Elastic Cloud, you create an organization. This organization is the umbrella for all of your Elastic Cloud resources, users, and account settings. Every organization has a unique identifier.
You can perform the following tasks to control access to your Cloud organization, your Elastic Cloud Hosted deployments, and your Elastic Cloud Serverless projects:
- Manage users: Invite users to join your organization and manage existing users.
- Assign user roles and privileges:
  - Manage organization-level roles and high-level access to deployments and projects.
  - If you have Elastic Cloud Serverless projects, assign project-level roles and create custom roles.
- Configure SAML single sign-on for your organization.
If you're using Elastic Cloud Hosted, then you can also manage users and control access at the deployment level.
Elastic Cloud Hosted
For Elastic Cloud Hosted deployments, you can configure SSO at the organization level, the deployment level, or both.
The option that you choose depends on your requirements:
Consideration | Organization-level | Deployment-level |
---|---|---|
Management experience | Manage authentication and role mapping centrally for all deployments in the organization | Configure SSO for each deployment individually |
Authentication protocols | SAML only | Multiple protocols, including LDAP, OIDC, and SAML |
Role mapping | Organization-level roles and instance access roles, Serverless project custom roles | Built-in and custom stack-level roles |
User experience | Users interact with Cloud | Users interact with the deployment directly |
If you want to avoid exposing users to the Elastic Cloud Console, or have users who only interact with some deployments, then you might prefer users to interact with your deployment directly.
In some circumstances, you might want to use both organization-level and deployment-level SSO. For example, if you have a data analyst who interacts only with data in specific deployments, then you might want to configure deployment-level SSO for them. If you manage multiple tenants in a single organization, then you might want to configure organization-level SSO to administer deployments, and deployment-level SSO for the users who are using each deployment.